
During this time, the offset from UTC is GMT-4 to hit Eastern Daylight Time. So, in local time, the wipe occurred at 3:08 PM.

As always, we validated our findings across several devices to include an iPhone SE (running iOS 13.7) and an iPhone 6S (running iOS 14.2).

Some examiners rely on dates that are parsed by tools or that seem to make sense based upon how the artifact is named. We want to first identify files that are not as reliable as the others we discuss in this blog. Up first, the SetupLastExit date found in /root/private/var/mobile/Library/Preferences/. This date is NOT the best indication of when a device was wiped. There are many factors that can impact this timestamp. For example, when you set up an iPhone, you can ignore Wallet and other settings. When you go back and add those items, this timestamp is changed. If you change your credit card for Apple Pay down the road, this timestamp will be updated. So really, it reflects the last time the user of the device changed something in the Settings screen.

For our test device, while the date is correct for the wipe time, you can see that SetupLastExit occurred a few hours after the wipe. This time reflects when we updated Ruth’s Apple Pay. If you recently wiped and set up a device, you see that red alert in the device to “Finish Setting Up Your iPhone.” In summary, the SetupLastExit is tracking the phone setup and all changes made there.

You may find some devices that are wiped and immediately set up, which is fine, but you may also come across some that aren’t fully set up for days or months. And for that possibility alone, we are ignoring this file.

There are several files that you will find that support the correct datetime when an iOS device was wiped. We are going to share a few of our favorite ones that we have relied upon over the years to aid in detecting the correct wipe date. The first is going to reside within the, which contains useful dates and is accessible using most iOS acquisition methods including iTunes backups all the way to full-file system extractions. Within the, we see a timestamp for GuessedCountry on at 7:13:13 PM, which is around the time Heather was setting up the iOS device after wiping it. You have to think that when the user presses the button to “Erase All Content and Settings” and proceeds, there may be a few minutes between that action and when the phone actually boots up as a “freshly-wiped” device. One of the first screens the user will see is “Select Your Country or Region,” which is represented as GuessedCountry inside of this plist. To rely on this time, please make sure the SetupState is SetupUsingAssistant. If the SetupState is RestoredFromiCloudBackup, the date may reflect an old wipe from the restored device. For iCloud restores, we recommend obtaining a full-file-system extraction and examining the artifacts mentioned later in this blog. If that is not possible, you are going to have to examine the creation dates and usage of the device, which will be a manual process.

In summary, there are many dates accessible in, which is accessible even by using an iTunes backup. We recommend you examine the GuessedCountry from this plist to get a good grip on the first time the phone was successfully booted after a wipe and when the country was presented to the user upon that boot (mine suggested United States). Remember, if the device was restored from an iCloud backup, you will have to look beyond the GuessedCountry as it may reflect an older wipe date.
